performed by malicious nodes. By utilizing a stochastic Petri net model describing a delay
networking behaviors, we analyze the performance characteristics of trust-based routing
protocols  in  terms  of  message  delivery  ratio,  message  delay,  and  message  overhead  against 
connectivity-based,  epidemic  and  PROPHET  routing  protocols.  The  results  indicate  that  our 
trust-based  routing  protocols  outperform  PROPHET  and  can  approach  the  ideal  performance 
obtainable  by  epidemic  routing  in  delivery  ratio  and  message  delay,  without  incurring  high 

1 Introduction

A delay tolerant network (DTN) provides interoperable communications through mobile
nodes with the characteristics of high end-to-end path latency, frequent disconnection,
limited resources (e.g., battery, computational power, bandwidth), and unreliable wireless
transmission. Further, for DTNs in mobile ad hoc network (MANET) environments, we also
face additional challenges due to a lack of centralized trusted entity and this increases
security vulnerability [1]. For a sparse MANET DTN, mobility-assisted routing based on
store-carry-and-forward method has been used. That is, a message carrier forwards a message
to an encountered node until the message reaches a destination node. In MANET DTN
environments, it is important to select a trustworthy node as a next message carrier among all
encountered nodes to minimize the delay for a message to reach a destination node as well
as to maximize the message delivery ratio. In this paper, we consider a MANET DTN in the
presence of selfish and malicious nodes and propose a family of trust-based routing protocols
to select a highly trustworthy next message carrier with the goal of maximizing the message
delivery ratio without incurring a high delay or a high message overhead.

In the literature, DTN routing protocols based on encounter patterns have been
investigated [2-4]. However, if the predicted encounter does not happen, then messages would be
lost for single-copy routing, or flooded for multi-copy routing. Moreover, these approaches
could not guarantee reliable message delivery due to the presence of selfish or malicious
nodes. The vulnerability of DTN routing to node selfishness was well studied in [5,6].
Several recent studies [7-9] considered using reputation in selecting message carriers among
encountered nodes for DTNs. Nevertheless, [7,9] assumed that a centralized entity exists for
credit management, and [8] merely used reputation to judge if the system should switch from
reputation-based routing to multipath routing when many selfish nodes exist.

There is very little research to date on the social aspect of trust management for DTN
routing. Social relationship and social networking were considered as criteria to select message
carriers in a MANET DTN [10, 11]. However, no consideration was given to the presence of
malicious or selfish nodes. Very recently, [12] considered routing by socially selfish nodes
in DTNs, taking into consideration the willingness of a socially selfish node to forward
messages to the destination node because of social ties. Unlike prior work cited above, in this
paper, we integrate social trust and Quality of Service (QoS) trust into a composite trust
metric for determining the best node among the new encounters for message forwarding,
extending from our preliminary work [13]. We consider honesty and unselfishness for social
trust to account for a node's trustworthiness for message delivery, and connectivity for QoS
trust to account for a node's capability to quickly deliver the message to the destination node.
By assigning various weights associated with these QoS and social trust properties, we form
a class of DTN routing protocols, from which we examine two versions of the trust
management protocol in this paper: an equal-weight QoS and social trust management protocol
(called trust-based routing for short) and a QoS trust only management protocol (called
connectivity-based routing for short). We analyze and compare the performance characteristics of
trust-based routing and connectivity-based routing protocols with epidemic routing [14] and
PROPHET [15] for a DTN consisting of heterogeneous mobile nodes with vastly different
social and networking behaviors. The results indicate that our trust-based routing protocols
outperform PROPHET and can approach the ideal performance obtainable by epidemic
routing in delivery ratio and message delay, without incurring high message overhead. Further,
integrated social and QoS trust-based protocols can effectively trade off message delay for
a significant gain in message delivery ratio and message overhead over connectivity-based
routing protocols.


Springer


Integrated  Social  and  QoS  Trust-Based  Routing  in  Delay  Tolerant  Networks 


2  System  Model 

We consider a MANET DTN environment with no centralized trusted authority. Nodes
communicate through multiple hops. Every node may have a different level of energy and speed
reflecting node heterogeneity. We differentiate selfish nodes from malicious nodes. A selfish
node acts for its own interest. So it may drop packets arbitrarily just to save energy but it may
decide to forward a packet if it has good social ties with the destination node. A malicious
node acts maliciously with the intention to disrupt the main functionality of the DTN, so it
can drop packets, jam the wireless channel, perform bad-mouthing attacks (provide negative
recommendations against good nodes), perform good-mouthing attacks (provide positive
recommendations for other colluding malicious nodes) and even forge packets. In the paper,
we will use the terms a malicious node, a compromised node, and a bad node interchangeably.

We consider the following model to describe a node's behaviors. If a node is selfish, the
speed of energy consumption is slowed down and vice versa. If a node is compromised, the
speed of energy consumption will increase since the node may have a chance to perform
attacks which may consume more energy, e.g., disseminating bogus messages. We also
consider redemption mechanism for a selfish node to have a second chance. That is, a selfish
node may become unselfish again, especially when its energy is still high compared with its
peers. We assume that each node has a pair of pre-distributed public/private keys which can
be used for packet authentication and preventing spoofing attacks.

A  node’s  trust  value  is  assessed  based  on  direct  observations  and  indirect  information  like 
recommendations.  The  trust  of  one  node  toward  another  node  is  updated  upon  encounter 
events.  Our  trust  metric  consists  of  two  trust  types:  QoS  trust  and  social  trust.  QoS  trust  is 
evaluated  through  the  communication  by  the  capability  of  a  node  to  deliver  messages  to  the 
destination  node.  We  consider  connectivity  to  measure  the  QoS  trust  level  of  a  node.  Social 
trust  is  based  on  social  relationships.  We  consider  unselfishness  and  honesty  to  measure  the 
social  trust  level  of  a  node.  Different  from  most  existing  encounter-based  routing  protocols 
which  considered  only  connectivity,  we  consider  social  trust  in  addition  to  QoS  trust  in  order 
to  select  more  trustworthy  message  carriers  among  encountered  nodes.  It  is  worth  noting  that 
unselfishness  traditionally  has  been  considered  as  a  QoS  trust  metric  [16]  to  measure  the 
extent  to  which  a  node  cooperates  with  other  nodes  to  conform  to  protocol  execution.  Here 
we  consider  unselfishness  as  a  social  trust  metric  to  measure  if  a  node  is  socially  willing 
to  route  packets  passed  to  it  in  a  DTN,  thereby  modeling  the  social  behavior  exhibited  by 
a  selfish  node.  We  define  a  node’s  trust  level  as  a  real  number  in  the  range  of  [0,  1],  with  1 
indicating  complete  trust,  0.5  ignorance,  and  0  complete  distrust. 

There is no centralized intrusion detection system (IDS) as it may be infeasible to
implement an efficient IDS in a DTN environment because of the sparseness of nodes and small
chances for certain nodes to encounter or connect to each other. Each node will execute the
trust protocol independently and will perform its direct trust assessment toward an
encountered node based on specific detection mechanisms designed for detecting a trust property X,
with X = connectivity, unselfishness, or honesty. In the paper, we will discuss these specific
detection mechanisms employed in our protocol.


3  Trust  Management  for  Message  Routing 

The trust value of node j as evaluated by node i at time t, denoted as $T_{i,j}(t)$, is computed by a
weighted average of connectivity, honesty, and unselfishness trust components. Specifically
node i will compute $T_{i,j}(t)$ by:

$$T_{i,j}(t) = w_1 T_{i,j}^{\text{e-connectivity}}(t) + w_2 T_{i,j}^{\text{d-connectivity}}(t) + w_3 T_{i,j}^{\text{honesty}}(t) + w_4 T_{i,j}^{\text{unselfishness}}(t) \qquad (1)$$

where $w_1 : w_2 : w_3 : w_4$ is the weight ratio with $w_1 + w_2 + w_3 + w_4 = 1$. Of these trust
components (or properties) in Eq. 1, $T_{i,j}^{\text{e-connectivity}}(t)$ is about node i's belief in node i's
encounter connectivity to node j, representing the delay of node i passing the message to
node j, $T_{i,j}^{\text{d-connectivity}}(t)$ is about node i's belief in node j's connectivity to the destination
node d, representing the delay of node j passing the message to node d, $T_{i,j}^{\text{honesty}}(t)$ is about
node i's belief in node j's honesty, and $T_{i,j}^{\text{unselfishness}}(t)$ is about node i's belief in node j's
unselfishness.

The reason for considering both e-connectivity and d-connectivity trust properties in our
protocol is given as follows. The end-to-end delay from node i's perspective consists of the
e-connectivity delay from node i to node j (the next carrier) and the d-connectivity delay
from node j to node d (the destination node). Thus, both connectivity metrics are needed.
Suppose d-connectivity is the only trust metric for connectivity. If node i encounters node j and
discovers that node j's d-connectivity delay is higher than another node's (say node m's)
d-connectivity delay, then node i will decide not to pass the message to node j. This would
be a wrong decision in case node m's e-connectivity delay + d-connectivity delay actually is
higher than node j's e-connectivity delay (which is zero upon encounter) + d-connectivity
delay. Here we note two special cases: (1) if node j is the currently encountered node, then
$T_{i,j}^{\text{e-connectivity}}(t)$ is one, representing that the e-connectivity delay is zero; (2) if node d is
the currently encountered node, then both $T_{i,d}^{\text{e-connectivity}}(t)$ and $T_{i,d}^{\text{d-connectivity}}(t)$ are one,
representing that both the e-connectivity delay and d-connectivity delay are zero.

In message forwarding in DTNs, two most important performance metrics are message
delivery ratio and delay. The rationale of using these four trust metrics is to rank
nodes such that high $T_{i,j}^{\text{e-connectivity}}(t)$ and $T_{i,j}^{\text{d-connectivity}}(t)$ represent low end-to-end
delay, while high $T_{i,j}^{\text{honesty}}(t)$ and $T_{i,j}^{\text{unselfishness}}(t)$ represent high delivery ratio. We set
$T_{i,j}^{\text{e-connectivity}}(0)$, $T_{i,j}^{\text{d-connectivity}}(0)$, $T_{i,j}^{\text{honesty}}(0)$ and $T_{i,j}^{\text{unselfishness}}(0)$ to ignorance (0.5)
since initially there is no information exchanged among nodes.

We define a minimum trust threshold $T_{min}$ also set to ignorance (0.5) such that if $T_{i,j}(t) > T_{min}$,
node i will consider node j as "trustworthy" (or plainly as a good node) at time t. When
node i encounters another node, say node m, it exchanges its encounter history with node m.
Moreover, if node i believes that node m is a good node, i.e., $T_{i,m}(t + \Delta t) > T_{min}$, where $\Delta t$
is the encounter period, node i will use node m as a recommender to update its beliefs toward
other nodes. Specifically, node i will update its trust toward node j upon encountering node
m at time t for a duration of $\Delta t$ as follows:


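$$T_{i,j}^{X}(t + \Delta t) = \beta_1 T_{i,j}^{direct,X}(t + \Delta t) + \beta_2 T_{i,j}^{indirect,X}(t + \Delta t) \qquad (2)$$

Here X refers to a trust property (e-connectivity, d-connectivity, honesty, or unselfishness)
with:

$$T_{i,j}^{direct,X}(t + \Delta t) = \begin{cases} T_{i,m}^{encounter,X}(t + \Delta t), & \text{if } m = j \\ T_{i,j}^{X}(t), & \text{if } m \neq j \end{cases} \qquad (3)$$

$$T_{i,j}^{indirect,X}(t + \Delta t) = \begin{cases} T_{i,j}^{X}(t), & \text{if } m = j \\ \cdots\,(t + \Delta t), & \text{if } m \neq j \text{ and } T_{i,m}(t + \Delta t) > T_{min} \\ T_{i,j}^{X}(t), & \text{if } m \neq j \text{ and } T_{i,m}(t + \Delta t) < T_{min} \end{cases} \qquad (4)$$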


In Eq. 2, $\beta_1$ is a weight parameter to weigh node i's own trust assessment toward node
j at time $t + \Delta t$, i.e., "self-information," and $\beta_2$ is a weight parameter to weigh indirect
information from the recommender, i.e., "other-information," with $\beta_1 + \beta_2 = 1$.

In Eq. 3 for the direct trust calculation of node j, if the new encounter (node m) is node
j itself, then node i can directly evaluate node j. We use $T_{i,m}^{encounter,X}(t + \Delta t)$ to denote
the assessment result of node i toward node m in trust property X based on node i's past
experiences with node m up to time $t + \Delta t$. This means that the value of $T_{i,m}^{encounter,X}(t + \Delta t)$
is assessed based on node i's direct observations of node m collected while they encountered
each other (including the current encounter) over the time period $[0, t + \Delta t]$. Later
in Sect. 5, we will describe how this can be obtained for each trust property X. If the new
encounter is not node j, then no new direct information can be gained about node j,
so node i will just use its past trust toward node j obtained at time t.

In Eq. 4 for the indirect trust calculation of node j, if the new encounter is node j itself,
then there is no indirect recommendation for node j, so node i will just use its past trust
obtained at time t. If the new encounter is not node j, then node m can provide its
recommendation to node i for evaluating node j, if node i considers node m as trustworthy, i.e.,
$T_{i,m}(t + \Delta t) > T_{min}$. In this case, we must take into account node i's belief in node m in the
calculation of $T_{i,j}^{indirect,X}(t + \Delta t)$. This models the decay of trust as trust is derived from
a distant node as indirect information. On the other hand, if node i does not consider node
m as a good node because of $T_{i,m}(t + \Delta t) < T_{min}$, then node i refuses to take
recommendations from node m about node j, and will just use its past trust information about node
j obtained at time t. The policy that recommendations from a newly encountered node are
accepted only if the newly encountered node is considered a good node provides robustness
against bad-mouthing or good-mouthing attacks.

$T_{i,m}(t)$ in Eq. 1 can be used by node i (if it is a message carrier) to decide, upon
encountering node m, if it should forward the message to node m with the intent to shorten the
message delay or improve the message delivery ratio. We consider a $\Omega$-permissible policy
in this paper, i.e., node i will pass the message to node m if $T_{i,m}(t)$ is in the top $\Omega$ percentile
among all $T_{i,j}(t)$'s. We experiment with various values of $\Omega$ to trade message delivery ratio
with message latency.

4  Protocol  Resiliency 

Below we provide a formal proof that our trust management protocol is resilient against
malicious attacks, including whitewashing attacks (a bad node washing away its bad
reputation by gaining high trust upon encountering with another node), bad-mouthing attacks (a
bad node providing bad recommendations toward a good node to ruin its reputation), and
good-mouthing attacks (a bad node providing good recommendations for a colluding bad
node to raise its reputation).

4.1 Resiliency to Whitewashing Attacks

Definition 1 A bad node, say node m, upon encountering node i at time t for an
encounter interval $\Delta t$, is said to perform a whitewashing attack successfully against node i if
$T_{i,m}(t) < T_{min}$ and $T_{i,m}(t + \Delta t) > T_{min}$.

Lemma 1 Our protocol is resilient against whitewashing attacks.

Proof When node i encounters node m at time t for a duration of $\Delta t$, according to our
protocol $T_{i,m}(t + \Delta t) = \beta_1 T_{i,m}^{encounter}(t + \Delta t) + \beta_2 T_{i,m}(t)$, of which $T_{i,m}(t) < T_{min}$ is
given (in the if part) and $T_{i,m}^{encounter}(t + \Delta t) < T_{min}$ is true because node i will be able
to observe node m's bad behavior directly based on node i's past experiences with node m
up to time $t + \Delta t$, including the current encounter. Taking the fact that $\beta_1 + \beta_2 = 1$, we
obtain $T_{i,m}(t + \Delta t) < T_{min}$. Thus, it is impossible that a bad node can successfully perform
a whitewashing attack. □


4.2  Resiliency  to  Bad-Mouthing  Attacks 

Definition 2 A bad node, say node m, upon encountering node i at time t for an encounter
interval $\Delta t$, is said to perform a bad-mouthing attack successfully against a good node, say
node j, if $T_{i,j}(t) > T_{min}$ and $T_{i,j}(t + \Delta t) < T_{min}$.

Lemma 2 Our protocol is resilient against bad-mouthing attacks.

Proof The proof hinges on proving $T_{i,m}(t + \Delta t) < T_{min}$ and therefore node i will refuse
to take recommendations from node m about node j. Utilizing the proof to Lemma 1 and
the fact that $T_{i,m}(t) < T_{min}$ is true (because we set the initial trust value to ignorance, i.e.,
$T_{i,m}(0) = T_{min}$, making it impossible for a bad node to gain trustworthy status at time t),
we know $T_{i,m}(t + \Delta t) < T_{min}$ is true. Consequently, node i will not take recommendations
from node m about node j. According to our protocol, $T_{i,j}(t + \Delta t) = \beta_1 T_{i,j}(t) + \beta_2 T_{i,j}(t)$.
This leads to $T_{i,j}(t + \Delta t) > T_{min}$ because $\beta_1 + \beta_2 = 1$ and $T_{i,j}(t) > T_{min}$ is given (in the
if part). Therefore, it is impossible that a bad node can successfully perform a bad-mouthing
attack. □


4.3  Resiliency  to  Good-Mouthing  Attacks 

Definition 3 A bad node, say node m, upon encountering node i at time t for an encounter
interval $\Delta t$, is said to perform a good-mouthing attack successfully for a bad node, say node
k, if $T_{i,k}(t) < T_{min}$ and $T_{i,k}(t + \Delta t) > T_{min}$.

Lemma 3 Our protocol is resilient against good-mouthing attacks.

Proof Following the proof to Lemma 1, we know that $T_{i,m}(t + \Delta t) < T_{min}$ is true. Hence,
node i refuses to take recommendations from node m about node k and $T_{i,k}(t + \Delta t) =
\beta_1 T_{i,k}(t) + \beta_2 T_{i,k}(t)$ according to our protocol. This leads to $T_{i,k}(t + \Delta t) < T_{min}$ because
$\beta_1 + \beta_2 = 1$ and $T_{i,k}(t) < T_{min}$ is given (in the if part). Therefore, it is impossible that a
bad node can successfully perform a good-mouthing attack. □
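
The per-encounter update of Sect. 3 (Eqs. 1-4) and the recommender filter that Lemmas 1-3 rely on, as an added example that is not code from the paper. Assumptions: the case of Eq. 4 for an accepted recommender is not legible on this page, so the discount `t_im * claimed[p]` is an assumed form; the 0.8/0.2 weights, node names and all observation values are constructed sample inputs.

```python
PROPS = ("e-connectivity", "d-connectivity", "honesty", "unselfishness")
T_MIN = 0.5                  # minimum trust threshold (ignorance)
IGNORANCE = 0.5              # initial value of every trust component
BETA1, BETA2 = 0.8, 0.2      # self- vs. other-information weights (sample values)
EQUAL_W = {p: 0.25 for p in PROPS}   # equal-weight "trust-based routing"

# Constructed observations: what node i's own detection reports on encounter.
GOOD_OBS = {p: 0.9 for p in PROPS}
BAD_OBS = {"e-connectivity": 1.0, "d-connectivity": 0.3,
           "honesty": 0.1, "unselfishness": 0.2}
# Constructed recommendations from bad node m: bad-mouth j, good-mouth k.
SLANDER = {"j": {p: 0.0 for p in PROPS}, "k": {p: 1.0 for p in PROPS}}


class Node:
    def __init__(self, name, weights=EQUAL_W, filter_recommenders=True):
        self.name = name
        self.w = weights
        self.filter = filter_recommenders   # False = unprotected variant
        self.trust = {}                     # peer -> {X: T^X_{i,peer}}

    def component(self, peer, prop):
        return self.trust.get(peer, {}).get(prop, IGNORANCE)

    def overall(self, peer):
        """Eq. 1: weighted average of the four trust components."""
        return sum(self.w[p] * self.component(peer, p) for p in PROPS)

    def on_encounter(self, m, observed, recommendations):
        """Update trust after meeting node m; return True if m is trusted
        as a recommender.

        observed:        {X: T^{encounter,X}_{i,m}} from i's own detection
        recommendations: {j: {X: T^X_{m,j}}} as claimed by m
        """
        # m == j: direct trust is the encounter assessment (Eq. 3) and
        # indirect trust is the past value (Eq. 4, first case).
        past_m = {p: self.component(m, p) for p in PROPS}
        self.trust[m] = {p: BETA1 * observed[p] + BETA2 * past_m[p]
                         for p in PROPS}

        # Recommender filter: m counts only if T_{i,m}(t + dt) > T_min.
        t_im = self.overall(m)
        accepted = t_im > T_MIN
        use_recommendation = accepted or not self.filter

        for j, claimed in recommendations.items():
            if j in (self.name, m):
                continue
            updated = {}
            for p in PROPS:
                past = self.component(j, p)   # direct trust when m != j
                if use_recommendation:
                    # ASSUMPTION: claim discounted by i's trust in m.
                    indirect = t_im * claimed[p]
                else:
                    indirect = past           # recommendation ignored
                updated[p] = BETA1 * past + BETA2 * indirect
            self.trust[j] = updated
        return accepted


def slander_campaign(filter_recommenders, rounds=3):
    """Bad node m meets i repeatedly, bad-mouthing j and good-mouthing k."""
    i = Node("i", filter_recommenders=filter_recommenders)
    i.on_encounter("j", GOOD_OBS, {})   # i has first-hand evidence j is good
    i.on_encounter("k", BAD_OBS, {})    # ... and that k misbehaves
    accepted = [i.on_encounter("m", BAD_OBS, SLANDER) for _ in range(rounds)]
    return {"accepted": accepted, "T_ij": i.overall("j"),
            "T_ik": i.overall("k"), "T_im": i.overall("m")}


def trusted_recommendation():
    """A good node g, trusted after a direct encounter, vouches for j."""
    i = Node("i")
    i.on_encounter("j", GOOD_OBS, {})
    accepted = i.on_encounter("g", GOOD_OBS, {"j": GOOD_OBS})
    return accepted, i.overall("j")


if __name__ == "__main__":
    print("filter on :", slander_campaign(True))
    print("filter off:", slander_campaign(False))
    print("trusted   :", trusted_recommendation())
```

With the filter on, node m never rises above T_min, so the values node i holds for j and k do not move; with it off, three encounters are enough to push the good node j below the threshold. The protection depends on the premise of Lemma 1 that node i's own encounter assessment of m stays below T_min.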

Fig. 1 SPN model

5 Performance Model

We  analyze  the  performance  of  the  proposed  trust-based  routing  protocol  for  DTN  message 
forwarding  by  a  probability  model  based  on  stochastic  Petri  net  (SPN)  techniques  [17]  due 
to  its  ability  to  handle  a  large  number  of  states. 

5.1  SPN  Model  to  Yield  Ground  Truth 

We  develop  an  SPN  model  to  yield  dynamic  ground  truth  information  of  nodes  in  the  example 
DTN  described  in  Sect.  2.  The  SPN  model  is  shown  in  Fig.  1.  The  SPN  model  describes  a 
node’s  lifetime  in  the  presence  of  selfish  and  malicious  nodes.  It  is  used  to  obtain  each  node’s 
information  (e.g.,  connectivity,  honesty,  and  unselfishness)  and  to  derive  the  trust  relationship 
with  other  nodes  in  the  system. 

Without loss of generality, we consider a square-shaped operational area consisting of
m × m sub-grid areas with the width and height equal to the radio range (R). Initially nodes
are randomly distributed over the operational area based on uniform distribution. A node
randomly moves to one of four locations in four directions (i.e., north, west, south, and east)
in accordance with its mobility rate. To avoid end-effects, movement is wrapped around (i.e.,
a torus is assumed). The SPN model produces the probability that a node, say node i, is in a
particular location L at time t. This information along with the location information of other
nodes at time t (derived from these nodes' SPN models) provides us the probability of two
nodes encountering with each other, and how often two nodes exchange encounter histories
to update $T_{i,j}^{X}(t)$.

Below  we  explain  how  we  construct  the  SPN  model  for  describing  a  node’s  behavior  in 
terms  of  its  location,  energy,  honesty,  and  selfishness  status. 


5.1.1  Location 

Transition T_LOCATION is triggered when the node moves to a randomly selected area out
of four different directions from its current location with the rate being calculated as $\sigma/R$
based on its speed $\sigma$ and wireless radio range R.


5.1.2  Connectivity 

Connectivity of node i to node j is measured by the time-averaged probability that node i
and node j are within one-hop during $[0, t + \Delta t]$. This can be obtained by knowledge of
location probabilities of node i and node j during $[0, t + \Delta t]$.

5.1.3 Energy

Place  Energy  represents  the  current  energy  level  of  a  node.  An  initial  energy  level  of  each 
node  is  assigned  according  to  node  heterogeneity  information.  A  token  is  taken  out  when 
transition  T_ENERGY  fires.  The  transition  rate  of  T_ENERGY  is  adjusted  on  the  fly  based 
on  a  node’s  state.  It  is  lower  when  a  node  is  selfish  to  save  energy;  it  is  higher  when  the 
node  is  compromised  so  that  it  performs  attacks  more  and  consumes  energy  more.  We  use 
the  energy  model  in  [16]  to  adjust  the  rate  to  consume  one  token  in  place  Energy  based  on  a 
node’s  state. 


5.1.4  Honesty 

A node is either good or bad. We distinguish a bad (or compromised) node from a good
node by placing a token in place CN. A bad node can perform various attacks including
whitewashing, good-mouthing and bad-mouthing attacks, thus exhibiting dishonest
behaviors. When a node encounters another node, it will perform a direct trust assessment of the
encountered node in the honest trust property based on specific detection mechanisms devised
for detecting dishonesty (to be described later).


5.1.5  Selfishness 

Place SN represents whether a node is selfish or not. If a node becomes selfish, a token goes
to SN by triggering T_SELFISH. We model a node's selfish behavior as a function of its
remaining energy. Specifically, the transition rate to T_SELFISH is given by:

$$rate(T\_SELFISH) = \frac{f(E_{remain})}{\Delta t} \qquad (5)$$

where $\Delta t$ is the duration between two encountering events over which a node may decide
to become selfish. The form $f(y) = \alpha_1 y^{-\varepsilon_1}$ follows the demand-pricing relationship in
Economics [18] to model the effect of its argument y on the selfishness behavior, such that
$f(E_{remain})$ models the behavior that a node with a higher level of energy is less likely to be
selfish. Similarly a selfish node may become unselfish again through transition T_REDEMP.
The redemption rate is modeled in a similar way as:

$$rate(T\_REDEMP) = \frac{g(E_{consumed})}{\Delta t} \qquad (6)$$

where $g(y) = \alpha_2 y^{-\varepsilon_2}$ and $E_{consumed}$ is the amount of energy consumed as given by $E_0 - E_{remain}$
and $\Delta t$ is the encountering interval over which a selfish node may decide to become
unselfish again. $g(E_{consumed})$ models the behavior that a node with a lower level of energy
will more likely stay selfish to further save its energy considering its own individual benefit.

5.2  Trust  Assessment 

Leveraging the SPN model described which yields ground truth information of node i's
status, we can calculate $T_{i,j}^{X}(t + \Delta t)$ as follows. In practice, $T_{i,j}^{X}(t + \Delta t)$ is obtained by node i
by following the protocol execution at runtime. The computational procedure devised below
is to predict $T_{i,j}^{X}(t + \Delta t)$ that would be obtained by node i. Our assertion is that the
detection mechanisms used by a node for trust assessment of property X of an encountered node
will be effective and fairly accurate. Thus, $T_{i,m}^{encounter,X}(t + \Delta t)$ assessed by node i will be
close to ground truth. Consequently, $T_{i,m}^{encounter,X}(t + \Delta t)$ is predicted to be the same as the
ground truth status of node m in trust property X, as provided from the SPN output. Below
we discuss specific detection mechanisms used by node i to assess node m upon encounter
to satisfy the assertion.

• $T_{i,m}^{encounter,\text{e-connectivity}}(t + \Delta t)$: This refers to the belief of node i about its connectivity
to node m based on node i's encountering experiences. The specific detection
mechanism used is counter-based. That is, node i keeps track of the numbers of
encounters it has had with all other nodes in the DTN up to time $t + \Delta t$ and computes
$T_{i,m}^{encounter,\text{e-connectivity}}(t + \Delta t)$ by the ratio of the number of encounters between node
i and node m to the maximum number of encounters between node i and any other node
during $[0, t + \Delta t]$.

• $T_{i,m}^{encounter,\text{d-connectivity}}(t + \Delta t)$: This refers to the belief of node i about the connectivity
between node m and node d based on node i's encountering experiences. The specific
detection mechanism used is also counter-based. It can be computed by the ratio of the
number of encounters between node m and node d to the maximum number of encounters
between node d and any other node over the time period $[0, t + \Delta t]$, all based on node
i's observations. Note that node i can observe node m encountering node d only if both
node m and node d are within 1-hop range of node i. Thus, by consulting its encounter
history with all nodes, node i will be able to calculate $T_{i,m}^{encounter,\text{d-connectivity}}(t + \Delta t)$
for the connectivity of node m to node d.

• $T_{i,m}^{encounter,honesty}(t + \Delta t)$: This refers to the belief of node i that node m is honest based
on direct observation experiences with node m during encounters. Since a compromised
node will perform attacks and exhibit dishonest behaviors, the specific mechanisms used
are anomaly detection or intrusion detection techniques [19,20]. Specifically, node i
monitors node m's dishonest evidences including dishonest trust recommendation,
irregular packet patterns, and abnormal traffic while they encountered including the current
encounter. Then it computes $T_{i,m}^{encounter,honesty}(t + \Delta t)$ by the ratio of the number of bad
honesty experiences to the total number of honesty experiences.

• $T_{i,m}^{encounter,unselfishness}(t + \Delta t)$: This refers to the belief of node i that node m is willing
to deliver messages. In traditional MANETs, a node's selfishness can be detected by
using snooping and overhearing techniques. However, in DTNs messages are delivered
in a store-and-forward fashion, thus snooping and overhearing may not be feasible. Our
specific detection mechanism for detecting unselfishness is signature-based, leveraging
the private/public keys for message authentication. Specifically, when node i encounters
node j and passes a message to node j, if node j is not selfish it will forward the message
and acknowledge node i with the same message signed with its private key. Afterwards,
when node i and node m encounter each other, they exchange message signatures and
verify each exchanged message signature by the receiver's public key. Since each
message is unique, a bad node cannot apply replication attacks. An unselfish node therefore
will have more verified message signatures than a selfish node. Node i then computes
$T_{i,m}^{encounter,unselfishness}(t + \Delta t)$ by the ratio of the number of verified message signatures
received from node m to the maximum number of verified message signatures received
from any other node.

As a result of applying the above detection mechanisms for trust property X,
$T_{i,m}^{encounter,X}(t + \Delta t)$ obtained by node i would be close to the ground truth status of
node m at time t which can be easily obtained from the SPN model output. In particular,
$T_{i,m}^{encounter,honesty}(t + \Delta t)$ in Eq. 3 is simply equal to the probability that place CN does
not contain a token at time $t + \Delta t$, and $T_{i,m}^{encounter,unselfishness}(t + \Delta t)$ is simply equal to
the probability that place SN does not contain a token at time $t + \Delta t$, both of which can
be computed easily from the SPN model output. Similarly, $T_{i,m}^{encounter,\text{e-connectivity}}(t + \Delta t)$
is simply equal to the time-averaged probability that node i and node m are within one-hop
during $[0, t + \Delta t]$ and $T_{i,m}^{encounter,\text{d-connectivity}}(t + \Delta t)$ is equal to the time-averaged
probability that node m and node d are within one-hop during $[0, t + \Delta t]$, both of which
can be obtained by utilizing the SPN model output regarding the node location probability.
Once $T_{i,m}^{encounter,X}(t + \Delta t)$ is obtained at each encounter time, node i computes $T_{i,j}^{X}(t + \Delta t)$
based on Eq. 2, and subsequently, obtains $T_{i,j}(t + \Delta t)$ based on Eq. 1.

Table 1 Default parameter values used

Param                  Value
m × m                  8 × 8
$\alpha_1$             4
$E_0$                  [12, 24] h
R                      250 m
$\alpha_2$             0.5
$\Omega$               90%
$E_{min}$              0.5
[symbol illegible]     1.6
$\Delta t$             300 s
$\sigma$               [0, 2] m/s
$\beta_1 : \beta_2$    0.8 : 0.2
N                      20


6  Results 

Below we show numerical results and provide physical interpretation of the results obtained.
Table 1 lists the default parameter values used. For trust-based routing, we set
$w_1 : w_2 : w_3 : w_4 = 0.25 : 0.25 : 0.25 : 0.25$ for e-connectivity : d-connectivity : honesty : unselfishness,
while for connectivity-based routing, we set $w_1 : w_2 : w_3 : w_4 = 0.5 : 0.5 : 0 : 0$. We set up
$N = 20$ nodes with vastly different initial energy levels in the system moving randomly in
an 8 × 8 operational region with the speed of each node in the range of [0, 2] m/s, and with
each area covering 250 m radio radius. There are two sets of nodes, namely, good nodes and
bad nodes, and we vary the percentage of bad nodes to test their effect on the performance
of our protocol. A good node may become selfish to save energy and unselfish again after
redemption, with the selfish rate defined based on Eq. 5 and redemption rate defined by Eq. 6.
The initial trust level is set to ignorance (i.e., 0.5) for all trust components since initially nodes
do not know each other. We also set $T_{min}$ to 0.5 so that a node will take recommendations
from a newly encountered node only when its trust level toward the newly encountered node
exceeds ignorance.

To reveal which trust component might have a more dominant effect, we show
$T_{i,j}^{e\text{-connectivity}}(t)$, $T_{i,j}^{d\text{-connectivity}}(t)$, $T_{i,j}^{\text{honesty}}(t)$, and $T_{i,j}^{\text{unselfishness}}(t)$ for node i (a good
node) evaluating node j randomly picked. Other nodes exhibit similar trends and thus only
one set of results is shown. Figure 2a is for the case in which node j is a good node. We see
that all trust components exhibit the same trend. A good node initially picks up its trustworthy
status (with its trust level greater than $T_{min}$) due to favorable direct evaluations by those
nodes it encounters and interacts with, who in turn pass on their positive recommendations
to other nodes they encounter. All trust components, after reaching their respective maximum
values, then decline as time progresses because malicious negative recommendations from bad
nodes performing bad-mouthing attacks gradually pick up advantages against positive
recommendations from good nodes. Among all trust components, the honesty trust component
is expected to contribute the most to the trustworthy status of a good node. This is reflected
in Fig. 2a which shows honesty dominates other trust components.

Fig. 2  Comparing $T_{i,j}^{X}(t)$ as a function of time. a Node j is a good node, b Node j is a bad node

Figure 2b shows $T_{i,j}^{e\text{-connectivity}}(t)$, $T_{i,j}^{d\text{-connectivity}}(t)$, $T_{i,j}^{\text{honesty}}(t)$, and $T_{i,j}^{\text{unselfishness}}(t)$
as a function of time for the case in which node j is a bad node. Here again all trust
components exhibit the same trend. However, the trust values decrease monotonically over time.
Contrary to a good node, a bad node never has any chance to attain trustworthy status, with
the rapid decline of honesty and unselfishness especially contributing to a bad node's trust
decline. The result that a bad node's status is always untrustworthy as demonstrated in Fig. 2b
substantiates our claim that our protocol is resilient against whitewashing, bad-mouthing, and
good-mouthing attacks by malicious nodes.

Next we consider a message forwarding scenario in which in each run we randomly pick a
source node s and a destination node d. The source and destination nodes picked are always
good nodes. There is only a single copy of the message initially given to node s. We let the
system run for 30 min to warm up and start the message forwarding afterward
in each run. During a message-passing run, every node i updates its $T_{i,j}(t)$ for all j's based
on Eq. 1. In particular, the current message carrier uses $T_{i,j}(t)$ to judge if it should pass the
message to a node it encounters at time t. If the message carrier is malicious, the message
is dropped (a weak attack). If the message carrier is selfish, the message delivery continues
with a 50% chance. A message delivery run is completed when the message is delivered
to the destination node, or the message is lost before it reaches the destination node.
Data are collected for 1,500 runs from which the message delivery ratio, delay and overhead
performance measurements are calculated.

We compare trust-based routing and connectivity-based routing against two baseline routing
protocols, namely, epidemic routing [14] and PROPHET [15], in terms of message
delivery ratio, delay and overhead performance metrics. Assuming sufficient buffer space,
epidemic routing achieves the best performance in delivery ratio and message delay at the
expense of the worst performance in delivery overhead (in the number of message copies
generated). Thus, epidemic routing provides the upper bound performance in delivery ratio
and message delay, and the lower bound performance in delivery overhead against which
trust-based routing can be compared. We use PROPHET as another baseline routing protocol
to demonstrate the effectiveness of trust-based routing protocols in all three performance
metrics.

In  epidemic  routing  [14],  a  node  forwards  a  copy  of  the  message  to  any  node  it  encounters. 
Thus,  a  node  consumes  more  energy  because  it  propagates  many  redundant  message  copies 
to  the  network.  Compared  with  trust-based  routing  and  connectivity-based  routing,  however, 
epidemic  routing  saves  energy  because  it  does  not  have  the  overhead  of  trust  management. 
When  using  the  SPN  model  to  describe  a  node  executing  epidemic  routing,  we  adjust  the 
energy  consumption  rate  to  transition  T_ENERGY  in  the  “Energy”  subnet  of  the  SPN  model 
to  account  for  a  different  energy  consumption  rate. 

In PROPHET [15], when two nodes encounter each other, they exchange a delivery predictability
vector. If the delivery predictability of the current message carrier is lower than that of the
newly encountered node, then the message is passed from the current message carrier to
the newly encountered node as the next carrier. The delivery predictability is a probabilistic
metric indicating the encounter frequency between two nodes and is updated when two nodes
encounter each other. It is similar to the d-connectivity trust property used in our protocols
in predicting the delay of the next carrier encountering the destination node. For ease of
disposition, we will loosely refer to delivery predictability as d-connectivity. PROPHET is a
multi-copy routing protocol by which each node still keeps its message copy for future
transmission after it sends the message to a carrier. For fair comparison, we consider a version
of PROPHET, called PROPHET_S, where each node removes its message copy after
forwarding it to another node and will not perform any more message forwarding. The energy
consumption model of each node in PROPHET_S is similar to trust-based routing protocols
considering only d-connectivity. Therefore, in PROPHET_S the energy consumption rate
to transition T_ENERGY in the SPN model remains the same as in our trust-based routing
protocols.

Figure 3 shows the message delivery ratio as a function of the percentage of compromised
and selfish nodes in the DTN for trust-based and connectivity-based routing protocols. For
performance comparison, we also show the delivery ratio obtained from epidemic routing and
PROPHET_S. Here we see that trust-based routing outperforms connectivity-based routing in
delivery ratio and its performance approaches the maximum achievable performance obtainable
from epidemic routing. This is attributed to the ability of trust-based protocols
to differentiate trustworthy nodes from selfish and bad nodes and select trustworthy nodes to
relay the message. The result demonstrates the effectiveness of incorporating social trust into
the decision making process for DTN message routing. Among all protocols, PROPHET_S
performs the worst in message delivery ratio. In particular, PROPHET_S is significantly
worse than trust-based routing because it does not consider honesty and unselfishness for
routing decisions. PROPHET_S is also considerably worse than connectivity-based routing
because it considers only d-connectivity instead of both e-connectivity and d-connectivity,
and the message is passed to a newly encountered node as long as the new encounter's
d-connectivity is better than that of the current message carrier. This results in a longer route
from the source node to the destination node with a higher chance to run into a malicious
node or selfish node to drop the message.

Fig. 3  Performance comparison in message delivery ratio

Fig. 4  Performance comparison in message delay

Figure 4 shows the average delay experienced per message considering only those messages
delivered successfully. Here we first note that in general connectivity-based routing
performs better than trust-based routing because connectivity-based protocols use the delay
to encounter the next message carrier (e-connectivity) and the delay for the next message
carrier to encounter the destination node (d-connectivity) as the criteria to select a message
carrier. The result suggests that if delay is of primary concern, we should set the weights
associated with e-connectivity and d-connectivity (QoS trust metrics) higher than those for
honesty and unselfishness (social trust metrics), as connectivity-based routing does (by
setting $w_1 : w_2 : w_3 : w_4 = 0.5 : 0.5 : 0 : 0$). This will have the effect of trading off high
delivery ratio for low delay. Figure 4 also shows that connectivity-based routing approaches
the ideal performance obtainable from epidemic routing as the percentage of malicious and
selfish nodes increases. We also observe that in general PROPHET_S, being a protocol using
d-connectivity for routing, performs better than trust-based routing but worse than
connectivity-based routing. The reason that PROPHET_S performs worse than connectivity-based
routing is that it only compares d-connectivity values of two encountering nodes for routing
decisions, which is not effective in minimizing the end-to-end delay. We note that this effect
is especially pronounced when the population of malicious and selfish nodes is low, since in
this condition PROPHET_S even performs worse than trust-based routing which considers
both e-connectivity and d-connectivity as part of its trust composition. A main reason for this
performance deterioration of PROPHET_S in message delay when the population of malicious
and selfish nodes is low is that in this condition most new encounters would be good
nodes, so the effect of connectivity dominates the effect of node maliciousness/selfishness for
deciding the next message carrier, and PROPHET_S comparing d-connectivity values of two
encountering nodes for routing decisions is not effective in minimizing the end-to-end delay.
Fig. 5  Performance comparison in message overhead


Figure 5 compares the three protocols in message overhead measured by the number of
copies forwarded to reach the destination node for those messages successfully delivered.
We see that trust-based protocols perform comparably with connectivity-based protocols
and both protocols outperform epidemic routing and PROPHET_S considerably in message
overhead. The reason that trust-based protocols use slightly more message copies than
connectivity-based routing protocols is that the path being selected by trust-based protocols
may not be the most direct route in order to avoid selfish or malicious nodes. The reason
that both trust-based routing and connectivity-based routing outperform PROPHET_S,
especially when the population of malicious and selfish nodes is low, is that as explained earlier
PROPHET_S tends to generate a longer route, thus resulting in more message copies being
propagated.

In  summary,  from  Figs.  3,  4,  5,  we  see  that  trust-based  protocols  can  effectively  trade  off 
message  delay  (Fig.  4)  for  a  significant  gain  in  message  delivery  ratio  (Fig.  3)  and  message 
overhead  (Fig.  5)  over  connectivity-based  routing,  epidemic  routing,  and  PROPHET_S. 

By comparing the performance of trust-based routing ($w_1 : w_2 : w_3 : w_4 = 0.25 : 0.25 :
0.25 : 0.25$) and connectivity-based routing ($w_1 : w_2 : w_3 : w_4 = 0.5 : 0.5 : 0 : 0$), we have
demonstrated the effect of parameters $w_1 : w_2 : w_3 : w_4$ on system performance. Figure 6
investigates the effect of $\beta_1 : \beta_2$ on performance of trust-based protocols with $\beta_1 : \beta_2$
varying from 0.5:0.5 to 0.9:0.1. We observe that as $\beta_1 : \beta_2$ increases (using a higher weight on
direct trust), the message delivery ratio increases if the population of malicious/selfish nodes
is low; otherwise, the delivery ratio decreases. This result means that when the population of
malicious/selfish nodes is low, one should use a higher ratio of $\beta_1 : \beta_2$ to improve the protocol
performance. We attribute this to the fact that when the population of malicious/selfish nodes
is low, it is easy for any newly encountered node to qualify as a recommender and provide a
trust recommendation toward all other nodes in the DTN. However, because of trust decay
of indirect recommendations, i.e., due to the product term in Eq. 4, the indirect trust value
received will likely decrease. Consequently, a good node may unnecessarily underestimate
the trust values of other good nodes in the system. To avoid this, it is better to place a higher
weight on direct trust if there are a lot of good nodes around to serve as recommenders. Here,
we note that when given knowledge of the percentage of malicious and selfish nodes, the
sensitivity analysis performed above helps identify the best ratio of $\beta_1 : \beta_2$ to maximize the
protocol performance.
Fig. 6  Effect of $\beta_1 : \beta_2$ on delivery ratio of trust-based routing
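An added numeric illustration of two effects discussed in this section (not code from the paper): the product term pulling a good node's trust below its direct value, with a larger direct-trust weight limiting the loss, and equal weights exposing a well-connected but dishonest node that connectivity-only weights rate highly. The update and sum shapes standing in for Eqs. 1, 2 and 4, every function name and every sample value are assumptions.

```python
T_MIN = 0.5   # recommendations are taken only from nodes trusted above ignorance
PROPS = ("e-connectivity", "d-connectivity", "honesty", "unselfishness")
TRUST_BASED = (0.25, 0.25, 0.25, 0.25)      # w1:w2:w3:w4 from the Results section
CONNECTIVITY_BASED = (0.5, 0.5, 0.0, 0.0)

def update_component(current, trust_in_recommender, report, beta1, t_min=T_MIN):
    """One encounter with recommender m about node j, for one trust property X.

    Assumed shapes: indirect = T_i,m * T^X_m,j (the product term) and
    new = beta1 * current + (1 - beta1) * indirect. A recommender at or below
    t_min is ignored, so its report cannot move the value."""
    if trust_in_recommender <= t_min:
        return current
    return beta1 * current + (1.0 - beta1) * trust_in_recommender * report

def after_encounters(start, encounters, beta1):
    """Fold a list of (trust_in_recommender, report) pairs into one value."""
    value = start
    for trust_in_recommender, report in encounters:
        value = update_component(value, trust_in_recommender, report, beta1)
    return value

def composite(components, weights):
    """Assumed Eq. 1 shape: weighted sum over the four trust properties."""
    return sum(w * components[p] for w, p in zip(weights, PROPS))

# Constructed scenario: node i holds direct evidence 0.9 about good node j, then
# meets three honest recommenders (trusted at 0.8, each reporting 0.9) and two
# bad-mouthers (trusted at 0.4, each reporting 0.0).
HONEST = [(0.8, 0.9)] * 3
BAD_MOUTH = [(0.4, 0.0)] * 2

def sweep(betas=(0.5, 0.8, 0.9)):
    """Trust in j after all five encounters, for each direct-trust weight."""
    return {b: after_encounters(0.9, HONEST + BAD_MOUTH, b) for b in betas}

# Constructed bad node: well connected, but dishonest and selfish.
BAD_NODE = {"e-connectivity": 0.9, "d-connectivity": 0.9,
            "honesty": 0.1, "unselfishness": 0.2}

if __name__ == "__main__":
    for beta1, value in sweep().items():
        print(f"beta1={beta1}: trust in good node j = {value:.5f}")
    print("bad node, trust-based weights:", composite(BAD_NODE, TRUST_BASED))
    print("bad node, connectivity weights:", composite(BAD_NODE, CONNECTIVITY_BASED))
```

Each honest report arrives as 0.8 × 0.9 = 0.72, so the value drifts from 0.9 toward 0.72 and drifts more slowly as the direct-trust weight grows; the bad-mouthers sit below the threshold and change nothing.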


7  Conclusion 

In  this  paper,  we  have  proposed  and  analyzed  a  class  of  trust-based  routing  protocols  in 
delay tolerant networks. The most salient feature of our protocol is that we combine not only
connectivity (QoS trust) but also honesty and unselfishness (social trust) properties into a
composite trust metric for dynamic decision making in DTN routing. We formally proved
that  our  protocol  is  resilient  against  whitewashing,  bad-mouthing,  and  good-mouthing  attacks 
by  malicious  nodes.  We  further  substantiated  the  claim  with  numerical  results  demonstrating 
that  a  malicious  node  will  never  attain  trustworthy  status.  Our  performance  analysis  results 
demonstrate  that  by  properly  selecting  weights  associated  with  QoS  and  social  trust  metrics 
for  trust  evaluation,  our  trust  management  protocols  can  achieve  the  ideal  performance  level 
in  delivery  ratio  and  delay  obtainable  by  epidemic  routing,  especially  as  the  percentage  of 
malicious  and  selfish  nodes  increases.  In  particular,  trust-based  protocols  that  consider  both 
social  and  QoS  trust  can  effectively  trade  off  message  delay  for  a  significant  gain  in  message 
delivery  ratio  and  message  overhead  over  connectivity-based  routing,  epidemic  routing,  and 
PROPHET  routing  protocols. 

In  the  future,  we  plan  to  investigate  other  forms  of  message  passing  such  as  multi-copy 
message  forwarding  and  other  forms  of  attacks  by  malicious  nodes  such  as  jamming,  forgery, 
and  Denial-of-Service  (DoS)  attacks.  We  also  plan  to  consider  other  trust  metrics  such  as 
technical  competence,  betweenness  centrality,  similarity,  and  social  ties  (strength)  [10]. 